Closed Bug 1395211 Opened 7 years ago Closed 7 years ago

Crash in MessageLoop::PostTask_Helper (on Windows)

Categories

(Core :: IPC, defect, P2)

Unspecified
Windows
defect

Tracking

RESOLVED DUPLICATE of bug 1398070
Tracking Status
firefox56 --- affected
firefox57 --- affected

People

(Reporter: jesup, Assigned: billm)

Details

(Keywords: crash, csectype-uaf, sec-high)

+++ This bug was initially created as a clone of Bug #1394788 +++

Note this is for non-Android crashes with this signature, which have a different cause it appears.

This is a frequent clear UAF/random-ptr crash on Windows.

https://crash-stats.mozilla.com/signature/?platform=%21Android&signature=MessageLoop%3A%3APostTask_Helper&date=%3E%3D2017-08-23T15%3A28%3A00.000Z&date=%3C2017-08-30T15%3A28%3A00.000Z&_columns=date&_columns=product&_columns=version&_columns=build_id&_columns=platform&_columns=reason&_columns=address&_columns=install_time&_sort=-date&page=1#reports

For example: https://crash-stats.mozilla.com/report/index/b0cd0453-e282-4113-a985-e335f0170830 and https://crash-stats.mozilla.com/report/index/7b1010f2-dea2-452c-afd3-73caa0170830

50-ish each are called from MessageChannel::OnChannelErrorFromLink()/PostErrorNotifyTask()

450ish are called from OnMessageReceivedFromLink()
Flags: needinfo?(wmccloskey)
It's pretty likely that these are cases where a thread is being shut down while there is still an IPC channel directing messages to it. We need to figure out which IPC channel is involved and fix it. The assertions in bug 1349699 were meant to help figure that out, but they ended up increasing the crash rate and so I backed one of them out. Bug 1395330 will re-enable the assertion. That's pretty much all I can do to help here.
Flags: needinfo?(wmccloskey)
Also, isn't this a dupe of bug 1320771?
Flags: needinfo?(rjesup)
Yeah, most of the cases I saw with poison values were in xpcom shutdown.
(In reply to Bill McCloskey (:billm) from comment #2)
> Also, isn't this a dupe of bug 1320771?

Likely it is... ETOOMANYSIGNATURES

Though it's useful to point out it's still with us, even if temporarily hidden under a zillion Android crashes
Flags: needinfo?(rjesup)
Group: core-security → dom-core-security
Priority: -- → P2
Bill, please investigate and fix these bugs or assign them to appropriate developers. Thanks!
Assignee: nobody → wmccloskey
Flags: needinfo?(wmccloskey)
I'm going to close this. The remaining crashes with the PostTask_Helper signature all appear to be gfx-related. I filed bug 1413011 for those.
Status: NEW → RESOLVED
Closed: 7 years ago
Flags: needinfo?(wmccloskey)
Resolution: --- → DUPLICATE
Group: dom-core-security